CVE Tools

Stories that broke today.

Every article references at least one CVE. Curated from tier-1 vendor blogs, threat-intel labs, and security newsrooms. Updated continuously.

Today: Mon, Jun 15 (12 stories)
Earlier this week: Tue, Jun 9 – Sun, Jun 14 (27 stories)
Sat, 2 d ago
The Hacker News (Summary only)

Critical Splunk Enterprise Flaw Lets Attackers Run Code Without Authentication

Splunk released security updates for a critical issue in Splunk Enterprise that allows network-reachable attackers to perform unauthenticated PostgreSQL sidecar file operations, potentially escalating to remote code execution. The vulnerability is tracked as CVE-2026-20253 (CVSS 9.8) and affects Splunk Enterprise versions below 10.2.4 and 10.0.7, with fixes in 10.0.7 and 10.2.4 (Splunk Enterprise 10.4 is not affected). Splunk Cloud is reported as not impacted because it does not use PostgreSQL sidecars. Apply the vendor patches promptly to reduce the risk of exploitation.

Sat, 2 d ago
Daily CyberSecurity (securityonline.info) (Summary only)

SimpleHelp Authentication Bypass Exploited to Hijack Remote Endpoints

Researchers report a maximum-severity authentication bypass in SimpleHelp, tracked as CVE-2026-48558 (CVSS 10), that enables unauthenticated attackers to forge identity tokens and obtain administrative control. The flaw is tied to the app’s OIDC single sign-on handling, where submitted tokens can be accepted without proper cryptographic signature verification, also undermining MFA protections. This matters because compromised instances can execute scripts and pivot into managed endpoints, so organizations should review internet-exposed remote support systems and patch or harden OIDC configurations promptly.

Sat, 3 d ago
Daily CyberSecurity (securityonline.info) (Summary only)

Important Apache CXF Vulnerabilities Demand Immediate Action

Apache CXF discloses multiple security issues affecting the JCA integration, WS JSON request filtering, and XML parsing behavior, including CVE-2026-50633 and CVE-2026-50634, plus CVE-2026-50628 and CVE-2026-49875. These problems matter because they could enable scenarios like unauthorized code execution, bypassed validation logic, and XML External Entity exposure when systems handle attacker-controlled inputs. Apache recommends upgrading to versions 4.2.2 or 4.1.7 to address the reported issues.

Fri, 3 d ago
watchTowr Labs

Why Use App-Level Auth When Every Database Has Auth? (Splunk Enterprise CVE-2026-20253 Pre-Auth RCE)

Splunk Enterprise has been impacted by CVE-2026-20253, where the “PostgreSQL Sidecar Service Endpoint” does not properly enforce authentication controls and can be invoked in a way that leads to arbitrary file creation and truncation. The issue matters because it can be chained to achieve pre-auth RCE in certain deployments (notably Splunk Enterprise on AWS), despite the endpoint being intended to be reachable only locally. If you run affected versions of Splunk Enterprise, prioritize reviewing the vendor advisory and applying the recommended mitigations for CVE-2026-20253.

Fri, 3 d ago
The Hacker News (Summary only)

China-Linked Hackers Backdoored Linux Login Software to Hide for Nearly a Decade

Sygnia attributes attacks by a China-nexus group tracked as Velvet Ant to backdooring Linux authentication paths by altering PAM and OpenSSH login components that control who can sign in. The malware appears to have persisted from at least 2016 by replacing trusted login binaries—sometimes to capture real usernames and passwords and sometimes to execute hidden behavior—so standard recovery steps like password resets and session termination may fail. The same actor has previously targeted other products, including F5 BIG-IP and Cisco NX-OS, and Cisco NX-OS exploitation tied to CVE-2024-20399 (with admin access required) was reported as part of its persistence activity, underscoring why integrity checks for critical authentication software matter.

Fri, 3 d ago
SecurityWeek (Summary only)

In Other News: Google Security Layoffs, AudiA6 Takedown, $400 Million Coupang Fine

CISA added CVE-2026-42271, a command injection issue affecting BerriAI LiteLLM (an AI gateway), to its Known Exploited Vulnerabilities catalog after evidence of active exploitation, making urgent patching important. Separately, South Korea’s PIPC issued a record $400 million penalty to Coupang after security and data-handling failures exposed personal information of more than 30 million customers. In a major enforcement action, an international operation dismantled AudiA6, disrupting a crypto laundering pipeline tied to ransomware financing and seizing related infrastructure and forums.

Fri, 3 d ago
Rapid7 Blog

Active Exploitation of Oracle PeopleSoft Zero-Day (CVE-2026-35273)

Oracle has released an out-of-band fix for CVE-2026-35273, a critical remote code execution issue in the Updates Environment Management component of PeopleSoft Enterprise PeopleTools, affecting PeopleTools versions 8.61 and 8.62. Security researchers report the flaw was exploited in the wild as a zero-day prior to Oracle’s June 10, 2026 advisory, with targeting observed from May 27 through June 9, 2026. This matters because attackers leveraged the weakness to reach PeopleSoft endpoints associated with /PSEMHUB/hub and /PSIGW/HttpListeningConnector, enabling compromise and follow-on activity such as data theft and operational tooling deployment.

Fri, 3 d ago
The Hacker News (Summary only)

LangGraph Flaw Chain Exposes Self-Hosted AI Agents to Remote Code Execution

Security researchers disclosed and LangGraph maintainers have patched three issues in LangGraph that can be chained into remote code execution for self-hosted deployments using the SQLite or Redis checkpointer. The affected vulnerabilities are CVE-2025-67644, CVE-2026-28277, and CVE-2026-27022, which respectively involve SQL injection in SQLite checkpoints, unsafe msgpack deserialization, and a RediSearch query injection in @langchain/langgraph-checkpoint-redis. This matters because the chain can allow attackers to turn tampered checkpoint data into server-side code execution, potentially exposing runtime secrets or other connected systems.

Fri, 3 d ago
BleepingComputer (Summary only)

CISA orders feds to patch actively exploited Ivanti flaw by Sunday

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has directed federal agencies to patch an actively exploited Ivanti Sentry vulnerability within three days under Binding Operational Directive (BOD) 26-04. The issue, CVE-2026-10520, affects Ivanti's security gateway appliance (formerly known as MobileIron Sentry) and involves an OS command injection weakness that enables attackers to execute code. CISA added CVE-2026-10520 to its Known Exploited Vulnerabilities (KEV) catalog after reports of widespread in-the-wild exploitation attempts, with security researchers warning that potentially unpatched systems are likely already compromised.

Fri, 3 d ago
SecurityWeek (Summary only)

Google Confirms Exploitation of Oracle PeopleSoft Zero-Day by ShinyHunters

Google confirmed that ShinyHunters has exploited an Oracle-mitigated PeopleSoft flaw as a zero-day for data theft. The issue is tracked as CVE-2026-35273, a critical unauthenticated remote code execution vulnerability affecting PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62, along with PeopleSoft Enterprise Applications, where Oracle released an out-of-band advisory and mitigations but patches do not appear to be available. Mandiant and Google Threat Intelligence Group observed activity tied to the exploitation from May 27 to June 9, with targeting reportedly concentrated in education and the University of Nottingham named as a confirmed victim.

Fri, 4 d ago
Daily CyberSecurity (securityonline.info) (Summary only)

Multiple Security Flaws Fixed in Major Framework Release

The maintainers of Spring have released security fixes addressing several serious vulnerabilities in Spring components that could allow attackers to manipulate server behavior and compromise applications. Affected CVEs include CVE-2026-41003 (cross-site scripting via Spring Security form rendering), CVE-2026-40999 (outbound request handling that can enable SSRF-style access to internal targets), and CVE-2026-40998 (XML external entity-related attack surface due to unsafe expression evaluation). Enterprise teams should upgrade to the corrected Spring versions (7.0.6 or 6.5.11) as soon as possible to reduce the risk of active exploitation.

Fri, 4 d ago
Daily CyberSecurity (securityonline.info) (Summary only)

Chrome 149 Patches 28 Flaws, Several Critical UAF Bugs

Google has released Chrome 149.0.7827.114/.115 for Windows and Mac (and 149.0.7827.114 for Linux) to address 28 security vulnerabilities. The update includes multiple critical use-after-free issues in components such as Core, DigitalCredentials, WebMIDI, and Media, tracked as CVE-2026-12007, CVE-2026-12008, CVE-2026-12011, and CVE-2026-12013, along with CVE-2026-12009 (Accessibility input validation) and CVE-2026-12010 (GPU heap buffer overflow). Because these flaws could enable crashes or code execution, updating promptly matters for users and organizations running Chrome.

Fri, 4 d ago
Daily CyberSecurity (securityonline.info) (Summary only)

Critical 9.9 CVSS Ubiquiti UniFi OS Vulnerabilities Exposed

Ubiquiti has disclosed multiple critical vulnerabilities in UniFi OS affecting several products, including UDM, UDR, UNVR, and Express network models. Tracked CVE IDs include CVE-2026-47367, CVE-2026-47369, CVE-2026-47370, CVE-2026-47368, and CVE-2026-48610, with issues ranging from command injection to path traversal and broken access control. Because attackers may achieve high-impact control such as remote exploitation, privilege escalation, or unauthorized configuration changes, administrators should update UniFi OS Server to version 5.1.15 and UID Enterprise Agent to version 1.61.4 as soon as possible.

Fri, 4 d ago
Daily CyberSecurity (securityonline.info) (Summary only)

New Patches Fix Broad AMD Security Vulnerabilities

AMD has released updates addressing multiple hardware security vulnerabilities that can weaken isolation and allow unauthorized access in certain scenarios. The advisories cover issues tracked as CVE-2025-54509 (related to cache coherency behavior impacting secure memory checks) and CVE-2025-10263 (a translation/memory-access flaw with a high severity CVSS), impacting affected AMD platform firmware/BIOS components—especially on selected EPYC generations. This matters because successful exploitation could enable an attacker to bypass intended protections and potentially access or run untrusted code.

Fri, 4 d ago
Daily CyberSecurity (securityonline.info) (Summary only)

Apache Answer Vulnerabilities and Security Flaws Fixed

Apache Answer has released security fixes for several high-impact flaws, including CVE-2026-25688, CVE-2026-25700, CVE-2026-25699, CVE-2026-33582, and CVE-2026-34033. The issues include cross-site scripting, improper handling of security tokens after profile changes, private data exposure via the Timeline API, a crash caused by malicious TIFF uploads, and HTML injection into email alerts. Organizations using Apache Answer should update promptly to reduce risks to user data, account access, and service availability.